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This paper re-evaluates the security of a chaotic image encryption algorithm called 
MCKBA/HCKBA and finds that it can be broken efficiently with two known plain-images and 
the corresponding cipher-images. In addition, it is reported that a previously proposed breaking 
on MCKBA/HCKBA can be further improved by reducing the number of chosen plain- images 
to two from four. The two attacks are both based on some properties of solving a composite 
function involving carry bit, which is composed of modulo addition and bitwise OR operations. 
Both rigorous theoretical analysis and detailed experimental results are provided to support the 
found points. 
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^ 22 1. Introduction 
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23 The subtle similarities between chaos and cryptography make chaos considered as a special way to design 

24 secure and efficient encryption schemes [Chen et al. 2004, 2011|. Meanwhile, some cryptanalysis work 



25 demonstrated that some chaos-based encryption schemes are vulnerable to various conventional attacks 



26 from the viewpoint of modern cryptology |Li et al. 


2004 




Xiao et al. 




2006 




Solak et al. 




2010a| 


b . In 


27 addition, some specific security flaws of chaos-based encryption schemes 


were reported Zhou & Au 




2011 



Chen et al. 



2012 



Alvarez &l Li 



2006 



concluded some general approaches to evaluating security of chaos- 

29 based encryption schemes. 

30 Due to the simplicity and low computation complexity of bitwise exclusive OR operation and modulo 

31 addition, they are widely used in traditional text encryption schemes and hash functions. Possible genera- 

32 tion of carry bit by the modulo addition makes the two operations are neither identical nor interchangeable. 

33 Some properties existing in multi-round combination of the two basic operations were derived to facilitate 

34 differential attacks on some traditional text encryption schemes or searching collision of hash functions 

35 [Paul fc Preneel 2005; Wang et al.\ 2005[ . Among many chaos-based encryption schemes, the two oper- 
36|^tions are the basic involved (even only) substitution functions. In Li et al. , 2005 , Li et al. , 2006 , [Li] 



* Corresponding author, chengqingg@gmail.coni 



37 
38 

39 
40 
41 
42 
43 

44 
45 
46 
47 
48 
49 
50 
51 
52 
53 
54 
55 
56 
57 
58 

59 
60 
61 
62 

63 

64 
65 
66 
67 
68 
69 
70 

71 

72 
73 
74 

75 
76 
77 
78 
79 



2 C. Li et al. 



et al. , 2008 , and Li et al. , 2009 , the following properties about n-bit integers a, (3, 7, x, y were found to 



support or enhance the proposed attacks on the corresponding encryption schemes in turn. 

If a ® /? = 2" — 1, then equation (a © x) = (/? © -j- 7 has unique solution modulo 2"~^, where 
(a + 6) = (a + b) mod 2"; 

Equation |(a © /3) - (/3 © 7)] = |(a © /3) - (/3 © 7)] always exists; 
If a © /3 = 7, then |a - /3| < 7; 

If (((x + a) © /3) + 7) EE X © y, then y = f3 (mod 2"-^). 

In 2000, Yen et al. proposed a chaotic key-based algorithm (CKBA) by encrypting each pixel of a 
plain- image by four possible operations: XORing or XNORing it with one of two predefined sub- keys. The 
exerted operation is determined by a pseudo-random number sequence (PRNS) generated by iterating 
the logistic map Yen & Guo, 2000 . In 2002, S. Li et al. broke CKBA with only one known/chosen- 
image in [Li fc Zheng 2002 . In 2005, Socek et al. proposed an enhanced version of CKBA (ECKBA) 
employing the following four methods: 1) replacing the logistic map with a piecewise linear chaotic map 
(PWLCM); 2) increasing the bit length of secret key to 128; 3) adding a modulo addition and an XOR 
operation; 4) running all the basic encryption functions multiple times. To achieve a much better balance 
between encryption load and security of high level, in 2007 Rao et al. proposed a modified version of 



et al. 



pKBA (MCKBA) in Rao & Gangadhar, 2007 by employing a modular addition operation like [Socek 



2005[. To further enhance the security of MCKBA against brute- force attack, in 2010 Gangadhar et 

and 



2004 



al. replaces the logistic map with a simple hyperchaos generator proposed in Takahashi et al 
names the algorithm HCKBA (Hyper Chaotic-Key Based Alg orithm) [Gangadhar Sz Rao 2010 . Since the 
two schemes MCKBA and HCKBA share the same structure, [Li et al. \2011 analyzed them together and 
reported the following points: 

Equivalent secret key of MCKBA/HCKBA can be obtained from four pairs of chosen-plaintexts; 
Encryption result of MCKBA/HCKBA is not sensitive to changes of plain-image; 
Encryption result of MCKBA is not sensitive to changes of two sub-keys. 
The lower bound on the number of queries (a, /3) to solve unknown variable x in equation 



y = [a + x) ® {(3 + x) 



in terms of modulo 2" is 3 if n > 4 



(1) 



some 



This paper re-evaluates the security of MCKBA/HCKBA and reports the following points: 1 
properties of Eq. ([T]) are provided to support practical approaches to solving Eq. ([l]); 2) MCKBA/HCKBA 



can be efficiently broken with two known-plaintexts; 3) the chosen-plaintext attack proposed in [Li et al. 
2011[ can be further improved and the number of required chosen-plaintexts is only two 



The rest of this paper is organized as follows. The image encryption algorithm under study is briefiy 
introduced in Sec. [2] A known-plaintext attack and an improved chosen-plaintext attack on the algorithm 
is presented in Sec. [3] with experimental results. The last section concludes this paper. 

2. The Chaotic Image Encryption Algorithm Under Study 

The encryption object of MCKBA is a gray-scale image of size M x N (width x height), which is scanned in 
the raster order and represented as a one dimensional sequence / = {I{i)}fi^-\ Then, a binary sequence 
Ih = Ub(0}f=o^"^ i'^ constructed, where E}=o^b(8 ■ i + j) ■ 2^ = H^) for i = ~ MN - 1. With a 
ined integer parameter n, an n-bit number sequence J = {</(fe)}[=o^^^"^ ^ is generated, where 
^"~Q Ib{n • k + j) ■ 2K In case (8MA^) is not a multiple of n. the sequence /f, is padded with some 



zero bits. Without loss of generality, it is assumed that n can divide (8MA^) in this paper. MCKBA operates 
on the intermediate sequence J and obtains J' = {^'(A;)}^^^q^^" ^, where J'{k) = X]"=o -^bl'^ ' k + j) • 



Finally, cipher-image I' 



is obtained via I'ik^ 



, / ^(S • fc -I- i) ■ 2K Based on the above 
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preliminary introduction, MCKBA is described with the following four part^ 

• The secret key: Two random numbers keyi, key2 G {0, • • • ,2"^ — 1}, and the initial condition x(0) G (0, 1) 
of the logistic map 



x{k + l) = 3.9- x(/c) • (1 -x(/c)), 



(2) 



Z]j=o ■ 2-^' ^^^2 = I]j=o ^'^y^J ■ 2-^, and ® denotes 



n-l 



where YJ!j=l{keyij ® key2,j) = \n/2\, keyi 
the exclusive OR (XOR) operation. 
• Initialization: Run Eq. (2) iteratively to generate a sequence {x{k)}^^^^'^^^ ^ 

.16MN/n-l 



and derive a pseudo- 
random binary sequence (PRBS), {&(0}i^=o^^'^" ^) from the 32-bit binary representation of elements of 



the sequence, namely x{k) = X]j=i ^(32 • A; -|- j — 1) • 2 

Encryption: For A; = ~ 8MN/n — 1, encrypt the k-th plain-element of J via 



J'{k) 



' {J{k) + keyx) ® keyx if = 3 

i J{k) + keyi) Q keyi H B{k) = 2 

{J{k) + key2) ® key2 if B{k) = 1 

[ ( J(A;) + key2) feeyz if B{k) = 



(3) 



where B{k) = 2 • 6(2/c) + b{2k + 1), and a 6 = o ® 6 = a ® 6. 

Decryption: The decryption procedure is similar to that of the encryption except that Eq. Q is replaced 
by 



' {J'{k)ekeyi)-keyi iiB{k) = 3 

{J'{k)®k^i)-keyi ifB{k) = 2 

{J'{k) © key2)-key2 if B{k) = 1 

{J'{k)ek^)-key2 ifB{k) = 



(4) 



where a—b = {a — b + 2") mod 2". 



93 3. Cryptanalysis 

94 Assume that two plain-images and the corresponding cipher-images encrypted with the same secret key are 

95 available, and let Ji = {Ji{k)}^f^^^^^ ^ and J2 = {J2{k)}^J^^^" ^ denote the corresponding intermediate 

96 sequences, respectively. Then, one can assure that the two sequences and the corresponding encrypted 

97 results J( = {Ji{k)}^J^^^^ ^ and = {>/2(^)}fcffc)^''" ^ satisfy 

j>(,. j,(r.^Uji{k) + keyi)(B{J2{k) + keyi) if G {2, 3}; 
^ ^ \{Jiik) + key2) e {J2{k) + key2) if G {0, 1}. 

98 No matter what the value of B{k) is, the above equation can be represented in the form of Eq. ([T]). In 

99 this section, we first present some properties of the kernel function ([T]) on obtaining its solution and then 

100 illustrate how to obtain an equivalent secret key of MCKBA /HCKB A with two known plain-images and 

101 two chosen plain-images, respectively. 

102 3.1. Some properties of the kernel function 

103 Property 1. Equivalent form of Eq. ([T]) 

y = y © a © /3 = (a + x) © (/3 + x) © a © /3 (6) 



""^ Since the sole difference between MCKBA and HCKB A is the generator of PRBS, only MCKBA is introduced here with a 
concise and consistent form to illustrate the encryption procedure. 



4 C. Li et al. 



104 can be represented as an iteration form 

m+i = ci+i © cj+i, 

Q+l = {Xi ■ Oi) © {Xi ■ Ci) © (Oj • Ci), (7) 

Cj+1 = (xi • (3i) © (xj • Ci) © (A • Cj), 

105 where co = 0, cq = 0, x = Y17=o ■2\a = YhZq oh ■2\ (3 = YIIZq Pi ■2\y = Y17=o Vi " 2* (These notations 

106 are the same hereinafter.). 

107 Proof. Let Cj+i denote the carry bit generated by x and a in the i-th bit plane. Set cq = 0, we has q+i 

108 from Ci and via 

Cj+i = {xi ■ ai) © (xi ■ a) © (aj • a) (8) 

for z = ~ n — 2. Similarly, let Cj+i denote the carry bit generated by x and {3 in the i-th bit plane. Set 
Co = 0, we can then obtain 

Ci+i = {xi ■ /3i) © {xi ■ Ci) © {/3i ■ Ci) 

109 for i = ~ n — 2. Obviously, yo = (oq © ^^o) © (/?o © xq) © ao © /^o = 0. Then, the (i + l)-th bit plane of 
no Eq. ^ can be represented as 

iji+i = [ui+i © Cj+i © Xj+i) © (/3j+i © Ci+i © Xi+i) © Oj+i © /3j+i 

= Q+l © Cj+l, 

111 where i = 0~n — 2. So, can be easily calculated iteratively according to Eq. ([7|fori = 0~n — 2, 

112 which can also be done via checking Table 1 listing the values of yi+i under all possible different values of 
ai,(3i,yi,Xi, and q. ■ 



Table 1. The values of j/i+i corresponding to the values of ai, Pi, yi,Xi, and Cj. 











{a^ 


,l3i,yi) 








(0,0,0) 


(0,0,1) 


(0,1,0) 


(0,1, i; 


) (1,0,0) 


(1,0,1) 


(1,1,0) 


(1,1,1) 


(0, 0) 
(0, 1) 












1 


1 






1 




1 






1 
1 


(1,0) 





1 


1 


1 


1 











(1, 1) 





1 











1 









113 

114 Property 2. Given (a,, yj, yj+i), no information about Xj, q and q can be obtained (Note that cq and 

115 Co are excluded since they are pre-defined constants.) if and only if (4aj -|- 2/3j -|- yi) G {0, 6}. 

116 Proof. Since only the data in the 0, 6-th column (zero-based) of Table 1 are identical, it is impossible to 

117 obtain any information about Xi, Ci and q from (a^, Pi, yi, jji+i) if and only if (4aj -|- 2/3j -|- yi) G {0, 6}. ■ 

118 Property 3. Given (a,, (3i, yi, yj+i), the unknown bit Xi can be determined via = Qj © y^+i, if and only 

119 if {iai + 2f3i + yi) £{1,7}. 

120 Proof Only under the cases shown in the 1, 7-th column of Table 1, Xi can be determined by {oi, j3i, i/j, yj+i) 

121 without knowledge of Cj. It is easy to verify that Xi = ai® yi+i in terms of value. ■ 

122 Property 4. Given (ui, f3i,yi,yi+i), carry bits Cj and Cj can be determined via Cj = /3j © yi+i and q = 

123 Pi © iji+i © iji if and only if (4ai + 2^ + m) € {3, 5}. 

124 Proof. Only under the cases shown in the 3, 5-th column of Table 1, Cj can be determined by (oj, /3j, i/j, yj+i) 

125 without knowledge of Xj. It is easy to verify that Cj = /3j © y^+i in terms of value. Then, one can obtain 

126 Ci = Pi® iji+i © yi since Ci = Ci®yi. ■ 



Breaking a chaotic image encryption algorithm based on modulo addition and XOR operation 5 



127 Property 5. Given (oj, (3i,yi, yj+i), the scope of the unknown bits be narrowed via 

(^^^^^^ J{(0,0),(1,1)} if^.,,=0; 

^ " \{(0,1),(1,0)} ifym = l, ^ ^ 

128 if and only if {ioi + 2Pi + yi) G {2, 4}. 

129 Proof. Referring to the cases shown in the 2, 4-th column of Table 1, the scope of (xj, Cj) can be narrowed 

130 according to value of yi+i- It is easy to obtain Eq. ([9| from Table 1. Therefore, the "if part of the property 

131 is proven. Note that the number of possible values of (4ai + 2/3j + jji) is only eight, and the sufficient 

132 and necessary conditions on obtaining different information on Xi and q under other six cases have been 

133 presented. Therefore, the "only if part of the property is also proven. ■ 

134 3.2. Known-plaintext attack 

135 Known-plaintext attack is one of the classic attack models where the attacker (or cryptanalyst) can access 

136 both some plaintext and the corresponding encryption results encrypted with the same secret key. In 



137 [Gangadhar &: Rao 2010, Sec. 3.2], the original authors claimed that HCKBA has strong vulnerability 

138 against known-plaintext attack. However, we found MCKBA/HCKBA is very weak against the attack, 

139 which is supported by the properties of Eq. ([T]) shown in the previous subsection. 

140 Under the scenario of known-plaintext attack, breaking MCKBA/HCKBA is to determine its equiv- 

141 alent secret key, keyl, key2 and {B{k)}^!^^^^ ^, by solving Eq. (5) and utilizing some properties of 

142 MCKBA/HCKBA. From Proposition [T| one can see that some bits oikeyl or key2 can be obtained from 

143 Eq. ([5]) for any A; G {0, • • • , 8MN/n — 1}, where the other unknown bits are just set as zero. Let key{k) 

144 denote the obtained solution of Eq. ([s]) and s{k,i) represent key{k)i is confirmed definitely or not, i.e. set 



152 



s{k,i) = 1 if key{k)i is confirmed by Eq. (10), Eq. (11), or Eq. ( |13| ), otherwise set key{k)i = 0, where 
key{k) = Y1^=q key{k)i ■ 2*, and /c = ~ 8MN/n — 1. Then, one may reconstruct set {keyl, key2} from 
{/cey(A;)}^ffJ^^" ^ and {s{k, ^ by identifying and combining the known bits belonging to the 

same number, which is described by the following steps. 

• Step 1): Set K = {A:ey(0),A;ey(l),-- - ,key{8MN /n - I)}. 

• Step 2): Search for two elements in K whose number of confirmed bits are most but the confirmed bits 
of the two elements are not all the same. Let Seed{Q) and Seed{l) denote the two seed elements and 
delete them from K. 

153 • Step 3): Check each element of K in turn and do the following two operations if it has one confirmed bit 

154 which is different from that of Seed{i): 1) update Seed{\ — i) by combining all the confirmed bits of the 

155 element into that of 5*66^(1 — i)] 2) delete the element from K, where i G {0, 1}. 

156 • Step 4)'- Repeat Step 3) iteratively till the numbers of confirmed bits of 5*66^(0) and Seed{l) are not 

157 increased in the whole step. 

158 • Step 5): Terminate the whole search operation when all bits of 5*66^(0) and 5*66^(1) are confirmed bits. 

159 • Step 6): Repeat Step 2) through Step 5) till the cardinality of IC is less than 2. 

160 Proposition 1. Given a, /3, y, the hits among the (n — 1) least significant hits of x in Eq. whose change 

161 can cause inexistence of Eq. can he determined from the least significant hit to the most significant 

162 one. 



163 Proof. The concrete approaches to solving Eq. ([T]) and determining the carry bits can be divided into the 

164 following two classes of operations. 

165 • Obtaining information on xq and c\: According to how much information on xq and c\ can be obtained, 

166 (ao, /3o, yo) is classified as the following two cases. 

167 (a) (4ao + 2/3o + yo) G {0, 6}: Referring to Property 2, xq can not be determined in this case, but one can 

168 obtain ci = if = 0. 
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169 (b) (4ao + 2/3o + yo) £ {2, 4}: As cq = 0, one can obtain 



" (10) 
\i its, = 1, 

from Eq. ([9|. Then, one can further obtain 

'O ifyi = 0; 
ci = \1 if ao = 1 and yi = 1; 
if /3o = 1 and yi = 1 . 

170 • Obtaining information on Xi, Xi-i, Ci and Cj+i for i = 1 ~ n — 2: According to how much information 

171 on Xi, Xi-i, Ci and Cj+i can be obtained by checking {ai,l3i,yi) and the obtained information on a for 

172 i = 1 ~ n — 2 in order, which is categorized as the following four case^ 

173 (a) (4aj + 2/3i + yj) € {0, 6}: Referring to Property 2, no information on x can be determined in this case. 

174 The value of Cj+i can be determined by Eq. ([s]) if ({(cj + ai), {ci + f]{0, 2}) 7^ is known. 

175 (b) (4ai + 2/?i + yi) E {1, 7}: One has 

Xi = ai® yi+i (11) 

176 from Property 3. If q has been determined, one can obtain Cj+i. Even q is still unknown, one can 

177 confirm Cj+i by Eq. ([s]) if {ai + Xj) = or (oj + Xi) = 2 is known. 

178 (c) (4aj + 2/3j + y-j) G {2, 4}: If Cj has been determined, based on Property 5 one can obtain 

= = (12) 

[yi+1 if Ci = 0, 

179 and further confirm the value of Ci+i. 

180 (d) (4ai + 2/3i + yi) E {3, 5}: Referring to Property 4, one can obtain a = (3i(Byi+i- If Xi-i is still unknown 

181 but Ci_i is known, one can obtain 

' 1 if Ci = 1 and (ci_i + ai-i) = 1 is known; 

_ 1 if Ci = 1 and (ci_i + /3i_i) = 1 is known; 

if Ci = and (ci_i + Oi-i) = is known; 

if Ci = and (ci_i + /3i-i) = is known. 



Let us study the probability on obtaining Xi and Ci with one pair of a, (3 and y under assumption 
that a, P and x distributes over {0, • • • , 2" — 1} uniformly. First, one has Prob{cQ = 1) = and Proh{ci = 
1) = |Pro6(ci_i = 1) + ^Prob{ci-i = 0) for i = 1 ~ n — 1. Solve the iteration function, one can obtain 
Prob{ci = 1) = Observe Table 1, one has Prob{yQ = 0) = 1 and 

Probim = 0)=Prob{yi-i = 0) (^Probid-i = " ^ + ^ 4) + = " ^ + ^ " ^)) 

+Prob{yi^i = 1) (pro6(c,_i = 0) Q • ^ + ^ • + Pro6(ci_i = 1) Q • 1 + 1 • 



^Pro6(yi_i = 0) + ^Pro6(y,_i = 1) 



for i = 1 ~ n — 1. Solve the iteration function, one can obtain 

2 

3 3"- 4 



Prob{yi = 0) = l + -^. (14) 



As confirmation of Ci is equivalent to that of c^, the latter is not mentioned. 
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From the proof of Proposition 1, one can first calculate Prob[co] = 1, Prob[ci] = j + 5"5 + 5"5 = i and 
Prob[c^] = ^Prob{yi^i = 0)Pro6[c,_i]^ + ^Prob{yi^i = 1) • (^Prob[c,^i] + (1 - Pro6[Q_i]) • ^ 

+ ^Prob{yi-i = 0)Prob[ci^i] + ^Prob{m^i = 1) 
=Prob[ci^i] Qpro6(yi_i = 0) + + ^Prob{yi^i = 1) 

for i = 2 ~ n — 2, where Prob[a\ denotes the probability that the bit a can be confirmed. Finally, one has 
Prob[xo] = \ and 

Prob[xi\ = -Prob{yi = 0) + -Prob{yi = 0)Prob[ci] 

+^Probiyi+i = 1) f 1 - ^Probim = 0) - ^Prob{yi = 0) • Prob[c^]] Prob[ci]^ (16) 



1 

2' 



84 for z = 1 ~ n — 2. Incorporate Eq. (14) and Eq. (15) into Eq. (16), one can obtain that Prob[xo 

85 Prob[xi] = 0.68, Prob[x2] = 0.59, Pr5U[x3] = 0.57, and Prob[xi] = 0.56 for i > 4. 

86 Now, one can assure that keyli and key2i can not be confirmed definitely with a probability larger 

87 than or equal to (1 — ^)"'° = and i respectively, where uq is cardinality of the set {k\B(k) S 

88 {2, 3}, A; = ~ 8MN/n — 1}. Therefore, one can conclude that set {keyl, key2} can be reconstructed in 

89 a very high probability. According to the pre-defined condition keyl ^ key2, there are only two possible 

90 combinations of keyl and key2. Let {keyl* , key2*) denote the searched version of {keyl, key2). When there 

91 exists i G {0, • • • , n — 2} satisfying that s{k, i) = 1, one can obtain approximate scope of B{k), 

^*tj^\ ^ f{2,3} if key{k)i = keyl* and key{k)i / key2*; 

[{0,1} if key{k)i = key2* and key{k)i^ keyl*, 

192 for /c = ~ 8MN/n — 1. From Proposition [2] and Eq. one can obtain the scope of B{k), 

]B(A:) = /^1'^^ if (J((fc)e Ji(fc))mod2 = 0; ^^^^ 
1 {0, 2} otherwise, 

193 for /c = ~ 8MN/n — 1. Then, the approximate value of B{k) can be obtained by setting B*{k) = 
i,.M*{k)f]M{k) for = ~ 8MN/n - 1. 

195 Proposition 2. Assume that a and x are both n-bit integers and n G Z^, {{a + x) ®x) has the same parity 

196 as a and {{a + x) x) has opposite parity as a. 

197 Proof. Existence of four equations 

((1 + xq) mod 2)®xo = 1, 
{{0 + xo) mod 2)®xo = 0, 
{{1 + xo) mod 2) 0X0 = 0, 
((0 + xo) mod 2) 0X0 = 1, 

198 is independent of xq, so the proposition is proved. ■ 

199 Finally, one can conclude that {keyl*, key2*) = X]r=o^ keyl* ■ 2*, YIIZq key2* • 2*, and {B* {k)}^^^^"" ^ 

200 can work together as equivalent secret key of MCKBA/HCKBA due to the following two points: 1) 

201 {keyl, key2, B{k)) = {a,b,c) and {keyl,key2, B{k)) = (6, a, (c + 2) mod 4) are equivalent for Eq. (Q; 

202 2) Proposition [s] illustrates that the unknown most significant bit of keyl* and key2* has no influence on 

203 decryption of MCKBA/HCKBA. 
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\ Proposition 3. Assume that a and x are both n-bit integers, n G one has the following two equations 

(a e x)-x = {a®x® 2""^)-(x 2""^), 

(a e x)-x = (a e xe2"-i)-(x e 2""^). 



Proof. See the proof of Proposition 1 in Li et al.. 2011 



To verify the real performance of the above analysis, some experiments are carried out on some plain- 
images of size 512 x 512 when n = 32. When xq = 319684607/2^2, keyi = 3835288501, and key2 = 
1437224678. Two known plain-images "Peppers" and "Baboon", and the corresponding cipher-images are 



8AfAf/n-l 



210 adopted. Equivalent key keyl* , key2* and {-B*(/c)}^^q 

211 in Fig. [T^) and the recovered result is shown in Fig. [Tja) 



is used to decrypt another cipher-image shown 




3.3. Chosen- plaintext attack 

Chosen-plaintext attack is an enhanced version of known-plaintext attack, where the plaintext can be 

4 chosen arbitrarily to obtain the information about the secret key in a more efficient way. In this subsection, 

5 the chosen-plaintext attack on MCKBA/HCKBA is briefly introduced due to the following two points: 
1) the known-plaintext attack on MCKBA/HCKBA works well in a relatively high probability and the 
chosen-plaintext version can improve its performance a little; 2) the underlying theorem supporting the 



attack proposed in |Li et al. 2011, Theorem 1] is not right and corrected in Proposition 4. 

Proposition 4. Assume that a, f3, x are all n-bit integers, then a lower bound on the number of queries 
220 (a,/3) to solve Eq. in terms of modulo 2""^ for any x is 1 if n = 2; 2 if n > 2. 

Proof When n = 2, one can obtain xq = yi by choosing (aO)/?o) = (1)0)- When n > 2, yi may be 
equal to zero or one no matter what (ao,/3o) is, which means that it is impossible to satisfy the con- 
dition of Property 3 for any x. So, we have to resort to another query (a',/3'). Let a.[, (i[,y[,y[ and c[ 
denote the counterparts of ai, f3i,yi,yi, and Cj corresponding to (a',/3'). Given a set of (aj+jt, and 
(a-+fc,/3-+fc), one can obtain {ci+k+i,yi+k+i) and (c'^+^+i, from {ci+k,yi+k) and {cf^^k^y'^^^), respec- 

tively, where i, k are non- negative integers. Let arrows of plain head and "V-back" head denote Xi^k = 
and Xj+jt = 1, respectively. Fig. 1 illustrates the mapping relationship between (cj+j^, ^i+fc, c^_,_^, and 
{ci+k+i,yi+k+i,c'^^k+vyi+k+i) foi' a given (oj+fc, A+fc, a^+fc, /?i+fc), where A; = 0, 1. Since (cq, yo, c'q, y^) = 
(0, 0, 0, 0), the dashed arrows in Fig. [2] describe operations of Eq. ([T]) in the two least significant bit planes 
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corresponding to two set of (a,/3). Note that the data in the third column is exactly the same as the first 
one. Therefore, Fig. [2] demonstrates operations of Eq. ([T]) under all different bit levels if the variable i goes 
through 3 • t, where t = L'^/^J and i + k < n — 1. Referring to Fig. [2| it can be easily verified that 

221 is always satisfied, which means that be derived from Table 1. ■ 
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Fig. 2. Relationship between {ci+k^Vi+k, c'l+k'Vi+k) a^nd {ci+k^Vt+k, c[^k^y[^f.) for a given (ai+fe,/3i+fc, a-+fe,/3-+fc), where 
fc = 0,1. 



Under scenario of chosen-plaintext attack, one may make the plaintext satisfy that at least one pair 
of elements in {( Ji(fe), J2(/c)) \ B{k) G {0,1}} whose i-th bit plane satisfy the condition of Property 3. 
The same case exists for {( Ji(A;), J2(A:)) \ B{k) G {2,3}}. The expected chosen-plaintext can be obtained 



225 in a high probability by assigning {Ji{k), J2{k)) with one of the two sets of number given in Corollary 3.1 

226 randomly. Compared with the known-plaintext attack, the chosen-plaintext attack has the following two 

227 superior performances: 1) the set {keyl, key2} can be reconstructed with much less complexity and much 

228 higher degree of accuracy; 2) the bits of key{k) can be confirmed with a little higher probability, where 
/c = ~ 8MN/n - 1. 



230 
231 



Corollary 3.1. The (n — 1) least significant bits of x in Eq. |ip can be determined easily by setting (a,/3) 
with the following two sets of numbers 



E -If '(00)2 • mod 2", (j2[=o^ '(10)2 • mod 2"| , 

{ (Ellf "V0)2 • 4^) 2", ''(01)2 • 4^) mod 2"} , 

232 and checking the corresponding y = y ® a® (5. 

233 Proof. The proof is straightforward and therefore omitted. ■ 

234 4. Conclusion 

235 In this paper, the security of the image encryption algorithm MCKBA/HCKBA has been re-studied in 

236 detail. Based on some properties of a composite function composed of modulo addition and XOR operation. 
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237 a known-plaintext attack and an improved chosen-plaintext attack were provided to determine an equivalent 

238 secret key of MCKBA/HCKBA. The cryptanalysis provided in this paper sheds some light on breaking 

239 other encryption schemes based on multiple combination of the modulo addition and XOR operations. 
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